Author Archive - Justine Paredes (Technical Communications)

A US-CERT advisory posted December 10 warns users to be wary of opening Microsoft Access Database (.MDB) files received in emails. A stack buffer overflow vulnerability caused by a specially crafted .MDB file can cause code to execute without requiring any user interaction. When exploited, the said vulnerability allows malicious users to install files on affected systems.

Trend Micro detects the exploit as HKTL_MDBEXP.A, which takes advantage of the Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability. Once this hacking tool has exploited a vulnerable target, malicious users can execute certain commands on an affected system. Research Project Manager Ivan Macalintal says it’s already being seen in Korea.

Although .MDB files are not usually seen by the common user, they are easily executed provided the user has Microsoft Access installed. Add a good deal of social engineering, and the user may be prompted to open the malicious .MDB file. Microsoft has also issued a warning that .MDB files are exclusively designed for executing commands, so users should be careful in accepting or downloading them, especially when these do not come from legitimate sources.

This is the second time this month that a malicious .MDB file has been reported; the first involved a Trojan that used a vulnerability to drop and execute other malicious files.

In this regard, US-CERT warns the public:

Do not open attachments from unsolicited email messages

Block high-risk file attachments at email gateways

Trend Micro couldn’t agree more. This warning extends not only to .MDB files, but to other attachments received via unsolicited mails as well.
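The US-CERT advice to block high-risk attachments at the gateway works best when the check looks at file content rather than trusting the file name. The script below is an added example, not code from the original post or from Trend Micro: it flags Microsoft Jet/Access databases both by extension and by the "Standard Jet DB" / "Standard ACE DB" header that every such file carries, and it assumes the gateway has already written each attachment to a directory on disk. The sample files it writes to the temp directory are constructed for the dry run.

```powershell
# Added example, not code from the original post: content-based screening of
# e-mail attachments for Microsoft Jet/Access databases at a gateway. Assumes
# the gateway has already written each attachment to a directory on disk.

function Test-JetDatabaseFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    # A Jet/Access database begins with the bytes 00 01 00 00 followed by the
    # ASCII tag "Standard Jet DB" (.mdb) or "Standard ACE DB" (.accdb).
    $header = New-Object byte[] 19
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $read = $stream.Read($header, 0, $header.Length)
    } finally {
        $stream.Dispose()
    }
    if ($read -lt $header.Length) { return $false }

    $tag = [System.Text.Encoding]::ASCII.GetString($header, 4, 15)
    return ($tag -eq 'Standard Jet DB' -or $tag -eq 'Standard ACE DB')
}

function Get-RiskyAttachments {
    param([Parameter(Mandatory = $true)][string]$Directory)

    # Extensions blocked outright; the header check catches databases whose
    # file name says something else.
    $blockedExtensions = @('.mdb', '.mde', '.accdb', '.accde')

    foreach ($file in Get-ChildItem -Path $Directory -File) {
        $reasons = @()
        if ($blockedExtensions -contains $file.Extension.ToLower()) {
            $reasons += 'blocked extension'
        }
        if (Test-JetDatabaseFile -Path $file.FullName) {
            $reasons += 'Jet database header'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $file.Name; Reasons = ($reasons -join ', ') }
        }
    }
}

# Constructed sample attachments for a dry run (not real samples).
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'gateway-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null

$jetBytes = [byte[]]((0, 1, 0, 0) +
    [System.Text.Encoding]::ASCII.GetBytes('Standard Jet DB') +
    (New-Object byte[] 64))
[System.IO.File]::WriteAllBytes((Join-Path $sampleDir 'report.mdb'), $jetBytes)
[System.IO.File]::WriteAllBytes((Join-Path $sampleDir 'report.dat'), $jetBytes)   # same content, neutral extension
[System.IO.File]::WriteAllText((Join-Path $sampleDir 'notes.txt'), 'plain text')

Get-RiskyAttachments -Directory $sampleDir | Format-Table -AutoSize
```

Run against the constructed directory, the table lists report.mdb with both reasons and report.dat with the header reason only, while notes.txt is not reported. The header check is the part that matters at a gateway: an extension filter alone misses a database delivered under a harmless-looking name.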

There have been reports of a vulnerability in Xunlei Thunder PPlayer's ActiveX control, a component of the Chinese software Xunlei Thunder 5.7.4 40.

TrendLabs Researcher Jonell Baltazar reveals that the reported vulnerability in Xunlei Thunder lies in pplayer.dll (version 1.2.3.49), included in the Thunder 5.x software package, specifically in the “FlvPlayerUrl” method: passing a specially crafted string causes an overflow in the program and can lead to code execution.

This vulnerability is also being actively exploited. It is used by one of the malicious Web pages reached through the iFrames found while visiting gameige.com. The related blog entry can be found here.

Until the software vendor releases a patch, it is advisable to refrain from using the said software. In the meantime, a possible workaround is to set the kill bit for the CLSID F3E70CEA-956E-49CC-B444-73AFE593AD7 in order to disable the vulnerable ActiveX control in Internet Explorer.
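Setting a kill bit means writing the 0x400 bit into the "Compatibility Flags" DWORD under Internet Explorer's ActiveX Compatibility registry key for that CLSID, which is Microsoft's documented mechanism for disabling a control. The script below is an added example, not code from the original post or from the vendor; it assumes an elevated shell, and it also writes the Wow6432Node view so that 32-bit Internet Explorer on 64-bit Windows honours the bit. Note that the CLSID quoted in the post is one hex digit short of a valid GUID, so the script rejects it; the all-zero CLSID at the end is a placeholder to be replaced with the full value from the vendor or advisory.

```powershell
# Added example, not code from the original post: set and verify the kill bit
# for an ActiveX control in Internet Explorer. The kill bit is the 0x400 bit
# of the "Compatibility Flags" DWORD under the ActiveX Compatibility key.
# Registry writes below require an elevated shell.

function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    # Reject malformed CLSIDs: a key created for a truncated value disables nothing.
    try { $guid = [guid]$Clsid } catch { throw "Not a valid CLSID: '$Clsid'" }
    $name = $guid.ToString('B').ToUpper()   # {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer') {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($root in $roots) { Join-Path $root $name }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $killBit = 0x400
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the bit in so any flags already set on the control are preserved.
        $flags = ([int]$current) -bor $killBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $killBit = 0x400
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (($flags -band $killBit) -ne $killBit) { return $false }
    }
    return $true
}

# The value quoted in the post is one hex digit short, so it is rejected here.
try { Get-ActiveXCompatKeys -Clsid 'F3E70CEA-956E-49CC-B444-73AFE593AD7' } catch { Write-Warning $_ }

# Placeholder CLSID: replace with the full value from the vendor or advisory.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $clsid
Test-ActiveXKillBit -Clsid $clsid   # True once every registry view carries the bit
```

The verification step is worth keeping in any rollout script: a kill bit written under only one registry view, or under a mistyped CLSID, leaves the control loadable while reporting looks clean.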

Job hunters are in danger yet again. Monster.com, a job-seeking site, has been attacked for the second time, affecting Monster Company Boulevard, in particular.

The said page was said to contain an iFrame, which redirected users to servers hosting Neosploit, The Register reported. Neosploit is said to be as destructive as Icepack and Mpack, two of the better-known exploit kits. The said attack sabotaged searches for well-known companies such as Toyota, Eddie Bauer, and Best Buy, making the exploit successful, as many people are probably seeking jobs from companies as huge as the said three.

This latest attack is a sequel to another Monster.com hacking where user names were stolen by hackers for phishing and spamming purposes.

A spokesman from Monster.com assured users that the Web site is now up and running, and that the sabotaged pages have been restored. It was also said that only a small percentage of users were affected. This is the good news. But the bad news, and the one that matters more, is that there is no guarantee that these incidents won’t happen again. We should remember that this is already the second time. Who knows whether there will be a third, a fourth, and a fifth?

Caution should be practiced by online job-seekers out there. Before they can even get employed, the bad guys are already out there to get them.

Stealing login information from online games and other social networking sites is old news. Because it’s so common, it doesn’t seem to be much of a big deal. However, when real money is involved and people get arrested, that’s when things get messy.

Just recently, a Dutch teenager was arrested for stealing almost $6000 worth of virtual furniture from users of the Habbo Hotel, a teenage chat room and gaming Web site.

The concept of Habbo Hotel is that virtual furniture is purchased and/or traded by the community members in order to furnish their respective “hotel rooms”. Purchasing and trading are made possible through “credits”, which are paid with real money.

According to the site’s owner, fake Habbo Web sites were created, drawing players to access them. The visitors’ user names and passwords were then collected from these spoofed sites in order for the hackers to access the real user accounts on the real Habbo Web site. Virtual furniture was then stolen from the victims’ accounts, hence also collecting cold, hard cash.

This kind of phishing attack serves as a caution, not only to Habbo users, but all Internet users who spend real money on the Net, especially on virtual exchanges. Shelling out money to people we can’t see is never safe. The moolah is sure better spent on furniture that we can actually sit or lie on. Nothing beats the real thing.

Alicia Keys followers might have to be more careful (literally) when visiting her MySpace page. ExploitLabs recently found out that a background image injected into the artist’s page would redirect a carelessly clicking user to malicious sites supposedly located in China. The inserted background image was said to be prominent enough that a misplaced click is all it takes for a user to be “transported” to the said malicious sites.

Further analysis and research by TrendLabs reveals that this piece of malicious code has in fact compromised several other MySpace pages — typically those profiled in the site’s “Top Artists” page. In addition, according to Senior Threat Researcher Ivan Macalintal, the injected code jumps to any one of the following URLs:

From the said Web sites, users are then prompted to download a fake video codec (again), which is actually a “rather nasty Trojan”, according to Ivan. Sounds familiar? It looks like another variant of the DNS-changing ZLOB Trojan, doesn’t it?

See the following diagram for a summary of its routines:

Trend Micro detects the injected code as HTML_DLOADER.WLZ, and the ZLOB variant being downloaded as TROJ_ZLOB.DCY.

Although MySpace was said to have fixed the problem, there’s always the possibility of hacks like these to occur in the very near future. An extremely popular social networking site like this offers a lot — millions of people to befriend, access to the most popular musicians and in some cases, even partners for life. Aside from the good stuff, its popularity has also been taken advantage of by hackers, and they have proven to be successful. With the infiltration of the page of a huge musical icon like Alicia Keys, who has a fan base reaching millions, those millions may be in for a surprise.

But wait! Here’s the real surprise (or not): Trend Micro Network Architect Paul Ferguson did a little more digging, and it seems that the IP addresses of the *.cn sites related to this MySpace hack are actually hosted on servers that are known to have been a haven for Russian Business Network (RBN) activities in the past!

So… from the looks of it, it seems RBN “poofing” out of the picture is indeed not permanent. Look, it’s poofing back in again. As Paul said, “we’re definitely seeing RBN activities shifting to *.cn domains (among others)”.